What is information security architecture?
From a layman’s perspective, information security architecture (ISA) is one segment of an organization’s enterprise architecture with a laser focus on securing enterprise data and the information systems hosting that data.
A more technical definition is provided by NIST (National Institute of Standards and Technology), which states that the “information security architecture is an integral part of the organization’s enterprise architecture. It represents that portion of the enterprise architecture specifically addressing information system resilience and providing architectural information for the implementation of
Information security architecture forms the core of an organization’s information security posture, including the fundamental information security policies and procedures the organization has adopted. It extends to human resource management and is linked with the information systems it protects. An ISA is derived from the business needs, priorities and risk appetite, and from the risk assessment, so that it reflects the company’s current and future information security needs.
Why should you have information security architecture?
First, a well-thought-out ISA serves as a guiding light for embedding information security at all levels, which helps in making informed decisions about implementing IT solutions and processes. Second, a formal ISA is in most cases also required if you want to remain in compliance with modern information security standards and the legal environment.
The benefits of having an enterprise security architecture as part of the overall IT strategy are manifold. For example, a central ISA may lower the total cost of ownership because it works against fragmentation of information security implementations. Other benefits are operational efficiency and the interoperability and integration of information security solutions with the existing IT infrastructure.
How to build information security architecture?
First, you must ensure you understand the business needs and overall IT strategy. Ideally, both should be in sync with each other. This will help you build an information security architecture that will be aligned with your enterprise business strategy.
Identification of threats and vulnerabilities is the next step. If you do not currently have an architecture in place, you perform risk identification, risk assessment and risk treatment to identify the risks and match them against the existing controls, noting where controls are missing or deficient. If you already have an ISA, you update it based on the latest information security threats and the updated control requirements.
Some of the critical risks to consider are those to confidentiality, integrity and availability. Sources of such risks include data protection failures, cyber-attacks, hardware and software malfunctions, and disaster-level events.
The next step will be identifying technologies that can help you manage security at the enterprise level. For example, central privilege management, security of email servers, backup solutions, disaster recovery, business continuity plans, etc.
It is also important to assess whether the ISA can satisfy the compliance requirements of legislation or standards such as SOX, PCI DSS or HIPAA. More recently, GDPR compliance has also become a focus area for information security architecture.
Perhaps more importantly, the enterprise must treat the ISA as a continuous effort: the threat landscape for IT systems keeps evolving, and the enterprise must evolve with it so that it remains agile and prepared with the necessary controls.
Challenges in creating an information security architecture
One of the biggest challenges to the success of any ISA is getting users’ cooperation. Any information security control that IT puts in place brings some inconvenience for the user. Strategic managers must carefully evaluate the benefits against the costs (including user inconvenience) and then communicate and engage with the end users to educate them about the need for such controls and their benefits.
Another significant challenge is coordination between different departments within the enterprise. Information security challenges cannot be met solely by information technology teams; the cooperation of end-user departments in implementing IT security and managing risks is vital to success.
It is also a challenge to get buy-in from all stakeholders and get them to understand the priority of information security in today’s IT-powered business.
One challenge that many IT managers face when creating an information security architecture is that the return on investment of the hardware and software tools needed to protect enterprise IT infrastructure is not straightforward to calculate, because these tools are not products the company sells.
Which frameworks are popular for information security architecture?
Some of the most popular frameworks for ISA include COBIT (Control Objectives for Information and Related Technologies) from ISACA, SABSA (Sherwood Applied Business Security Architecture), and TOGAF (The Open Group Architecture Framework). Note that TOGAF is a general enterprise architecture framework rather than a security-specific one; SABSA is commonly used alongside it to supply the security view.
Companies may opt for any enterprise information security architecture framework based on their needs, though the critical underlying objective for all these frameworks is controlling risks against the enterprise.
One key benefit of using these frameworks is that they already list the key risks and the controls against them, so companies can start implementing them directly. Moreover, compliance with these frameworks usually facilitates compliance with standards and legal provisions.